screen
Syntax
screen {
    ids-option name {
        aggregation {
            destination-prefix-mask destination-prefix-mask;
            destination-prefix-v6-mask destination-prefix-v6-mask;
            source-prefix-mask source-prefix-mask;
            source-prefix-v6-mask source-prefix-v6-mask;
        }
        alarm-without-drop;
        description (Security Screen) description;
        icmp (Security Screen) {
            flood (Security ICMP) <threshold ICMP packets per second>;
            fragment;
            icmpv6-malformed;
            ip-sweep <threshold microseconds in which 10 ICMP packets are detected>;
            large;
            ping-death;
        }
        ip (Security Screen) {
            bad-option;
            block-frag;
            ipv6-extension-header {
                AH-header;
                destination-header {
                    home-address-option;
                    ILNP-nonce-option;
                    line-identification-option;
                    tunnel-encapsulation-limit-option;
                    user-defined-option-type name {
                        to type-high;
                    }
                }
                ESP-header;
                fragment-header;
                HIP-header;
                hop-by-hop-header {
                    CALIPSO-option;
                    jumbo-payload-option;
                    quick-start-option;
                    router-alert-option;
                    RPL-option;
                    SMF-DPD-option;
                    user-defined-option-type name {
                        to type-high;
                    }
                }
                mobility-header;
                no-next-header;
                routing-header;
                shim6-header;
                user-defined-header-type name {
                    to type-high;
                }
            }
            ipv6-extension-header-limit ipv6-extension-header-limit;
            ipv6-malformed-header;
            loose-source-route-option;
            record-route-option;
            security-option;
            source-route-option;
            spoofing;
            stream-option;
            strict-source-route-option;
            tear-drop;
            timestamp-option;
            tunnel (Security Screen) {
                bad-inner-header;
                gre {
                    gre-4in4;
                    gre-4in6;
                    gre-6in4;
                    gre-6in6;
                }
                ip-in-udp {
                    teredo;
                }
                ipip {
                    dslite;
                    ipip-4in4;
                    ipip-4in6;
                    ipip-6in4;
                    ipip-6in6;
                    ipip-6over4;
                    ipip-6to4relay;
                    isatap;
                }
            }
            unknown-protocol;
        }
        limit-session {
            by-destination {
                by-protocol {
                    icmp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    tcp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    udp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                }
                maximum-sessions maximum-sessions;
                packet-rate packet-rate;
                session-rate session-rate;
            }
            by-source {
                by-protocol {
                    icmp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    tcp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    udp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                }
                maximum-sessions maximum-sessions;
                packet-rate packet-rate;
                session-rate session-rate;
            }
            destination-ip-based destination-ip-based;
            source-ip-based source-ip-based;
        }
        match-direction (input | input-output | output);
        tcp (Security Screen) {
            fin-no-ack;
            land;
            port-scan <threshold microseconds in which 10 attack packets are detected>;
            syn-ack-ack-proxy <threshold un-authenticated connections>;
            syn-fin;
            syn-flood {
                alarm-threshold requests per second;
                attack-threshold proxied requests per second;
                destination-threshold SYN pps;
                source-threshold SYN pps;
                timeout (Security Screen) seconds;
                white-list name {
                    destination-address [ destination-address ... ];
                    source-address [ source-address ... ];
                }
            }
            syn-frag;
            tcp-no-flag;
            tcp-sweep <threshold microseconds in which 10 TCP packets are detected>;
            winnuke;
        }
        udp (Security Screen) {
            flood (Security UDP) {
                threshold UDP packets per second;
                white-list [ white-list ... ];
            }
            port-scan <threshold microseconds in which 10 attack packets are detected>;
            udp-sweep <threshold microseconds in which 10 UDP packets are detected>;
        }
    }
    traceoptions (Security Screen) {
        file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
        flag name;
        no-remote-trace;
    }
    trap <interval seconds>;
    white-list name {
        address [ address ... ];
    }
}
Hierarchy Level
[edit security], [edit tenants tenant-name security]
Description
Configure the security screen options. For every security zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines as potentially harmful.
Options
ids-option screen-name
    Name of the screen configured at the [edit security screen] hierarchy level.

trap
    Configure the trap interval. Enable or disable the sending of Simple Network Management Protocol (SNMP) notifications when the state of the connection changes. Traps are unsolicited messages sent from an SNMP agent to remote network management systems or trap receivers.

white-list
    Set of IP addresses for an allowlist. Configure an allowlist of IP addresses that are to be exempt from the SYN cookie and SYN proxy mechanisms that occur during the SYN flood screen protection process. An allowlist contains known trusted IP addresses and URLs. Content downloaded from locations on the allowlist does not have to be inspected for malware.
The remaining statements are explained separately. See CLI Explorer.
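The following is an added configuration example, not taken from the Juniper documentation page itself. It shows a screen profile built from the statements in the syntax above, attached to a zone, and first run in monitor-only mode (alarm-without-drop) so the alarm rate can be checked before enforcement is turned on. The screen name untrust-screen, the zone name untrust, the white-list name trusted-monitors, the address 192.0.2.10/32 and all threshold values are assumptions chosen for illustration and should be tuned to the traffic actually seen on the link.

```junos
# Constructed example: screen profile for the untrust zone.
# Phase 1: monitor only. Matches raise alarms and counters but are not dropped.
set security screen ids-option untrust-screen description "Perimeter screen for the untrust zone"
set security screen ids-option untrust-screen alarm-without-drop

# IP- and ICMP-level checks (no thresholds; each is a malformed-packet check).
set security screen ids-option untrust-screen ip spoofing
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen ip bad-option
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen icmp flood threshold 1000

# TCP checks. SYN flood thresholds are in the units given in the syntax:
# alarm-threshold and attack-threshold in requests per second,
# source-/destination-threshold in SYN packets per second, timeout in seconds.
set security screen ids-option untrust-screen tcp land
set security screen ids-option untrust-screen tcp syn-fin
set security screen ids-option untrust-screen tcp tcp-no-flag
set security screen ids-option untrust-screen tcp port-scan threshold 5000
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
# Assumed monitoring host exempted from SYN cookie / SYN proxy handling.
set security screen ids-option untrust-screen tcp syn-flood white-list trusted-monitors source-address 192.0.2.10/32

# UDP flood threshold in UDP packets per second.
set security screen ids-option untrust-screen udp flood threshold 5000

# Cap the number of sessions any single source may hold.
set security screen ids-option untrust-screen limit-session by-source maximum-sessions 1000

# Send at most one SNMP trap per 60 seconds for screen events.
set security screen trap interval 60

# Attach the screen to the zone; screens take effect only once bound to a zone.
set security zones security-zone untrust screen untrust-screen

# Phase 2: once the alarm counters look sane, remove monitor-only mode so that
# matching packets are dropped instead of merely alarmed.
delete security screen ids-option untrust-screen alarm-without-drop
```

After committing, the per-zone counters can be checked with `show security screen statistics zone untrust`, and the active profile with `show security screen ids-option untrust-screen`. Leaving alarm-without-drop in place until the counters have been reviewed avoids dropping legitimate traffic on a threshold that was set too low for the link.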
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.
The description option was added in Junos OS Release 12.1.
The tenant option was introduced in Junos OS Release 18.3R1.